Configuring Message-Level Security 2-91
    <sp:EncryptedParts>
      <sp:Body/>
    </sp:EncryptedParts>
  </wsp:ExactlyOne>
</wsp:Policy>
2.21.2.4 Smart Policy Selection for a Standalone Client
You can set the policy selection preference via the stub property. The following example sets the stub property for security, compatibility, and performance preferences:
    stub._setProperty(WLStub.POLICY_SELECTION_PREFERENCE,
                      WLStub.PREFERENCE_SECURITY_COMPATIBILITY_PERFORMANCE);
If the policy selection preference is not set, then the default preference (None) is used.
2.21.3 Multiple Transport Assertions
If there are multiple available transport-level assertions in your security policies, WebLogic Server uses the policy that requires https. If more than one policy alternative
requires https, WebLogic Server randomly picks one of them. You should therefore avoid using multiple policy alternatives that contain mixed transport-level policy
assertions.
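A small linter for the mixed-transport-assertion case described in this section, added here as an example (it is not WebLogic's own tooling): it parses a WS-Policy document and, for each wsp:ExactlyOne, reports how many alternatives require https via an sp:TransportBinding that holds an sp:HttpsToken. The sample policy is constructed; elements are matched by local name so both wsp namespaces work, and treating each child of ExactlyOne as one alternative is an assumed simplification of WS-Policy normal form.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip the namespace: '{http://...}All' -> 'All'."""
    return tag.rsplit("}", 1)[-1]

def requires_https(alternative):
    """True if the alternative carries an sp:TransportBinding holding an sp:HttpsToken."""
    for el in alternative.iter():
        if _local(el.tag) == "TransportBinding":
            if any(_local(x.tag) == "HttpsToken" for x in el.iter()):
                return True
    return False

def check_alternatives(policy_xml):
    """For each wsp:ExactlyOne return (alternatives, https_alternatives, mixed).

    Each child of ExactlyOne counts as one alternative (wsp:All in normal form,
    or a bare assertion in compact form).  mixed is True when some but not all
    alternatives require https, the situation Section 2.21.3 says to avoid.
    """
    root = ET.fromstring(policy_xml)
    results = []
    for node in root.iter():
        if _local(node.tag) != "ExactlyOne":
            continue
        alts = list(node)
        https = sum(1 for alt in alts if requires_https(alt))
        results.append((len(alts), https, 0 < https < len(alts)))
    return results

# Constructed sample policy: only the first of two alternatives requires https.
MIXED_POLICY = """<wsp:Policy
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:TransportBinding><wsp:Policy><sp:TransportToken><wsp:Policy>
        <sp:HttpsToken/>
      </wsp:Policy></sp:TransportToken></wsp:Policy></sp:TransportBinding>
      <sp:SignedParts><sp:Body/></sp:SignedParts>
    </wsp:All>
    <wsp:All>
      <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>"""

if __name__ == "__main__":
    print(check_alternatives(MIXED_POLICY))  # [(2, 1, True)]
```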
2.22 Example of Adding Security to MTOM Web Service
As described in Optimizing Binary Data Transmission Using MTOM/XOP, SOAP Message Transmission Optimization Mechanism/XML-binary Optimized Packaging (MTOM/XOP) defines a method for optimizing the transmission of XML data of type xs:base64Binary or xs:hexBinary in SOAP messages.
This section describes a combination of two examples that are already included with WebLogic Server:
■ WL_HOME\samples\server\examples\src\examples\webservices\wss1.1
■ WL_HOME\samples\server\examples\src\examples\webservices\mtom
These existing examples include functional code and extensive instructions.html files that describe their use and function, how to build them, and so forth. This section does not repeat that information, but instead concentrates on the changes made to these examples, and the reasons for the changes.
2.22.1 Files Used by This Example
The example uses the files shown in Table 2–12. The contents of the source files are shown in subsequent sections.
Note: The example shows adding security to a JAX-RPC Web service. In this release, MTOM with WS-Security is supported for both JAX-WS and JAX-RPC.
2-92 Securing WebLogic Web Services for Oracle WebLogic Server
2.22.2 SecurityMtomService.java
The SecurityMtomService.java JWS file is the same as that in WL_HOME\samples\server\examples\src\examples\webservices\mtom\MtomService.java, with the addition of the @Policies/@Policy annotations.
Example 2–25 SecurityMtomService.java
package examples.webservices.security_mtom;

import weblogic.jws.Binding;
import weblogic.jws.Policy;
import weblogic.jws.Policies;
import weblogic.jws.Context;
import weblogic.jws.WLDeployment;
import weblogic.wsee.jws.JwsContext;
import weblogic.wsee.mtom.api.MtomPolicyInfo;
import weblogic.wsee.mtom.api.MtomPolicyInfoFactory;
import weblogic.wsee.policy.framework.PolicyException;
import javax.jws.WebService;
import javax.jws.WebMethod;
import java.rmi.RemoteException;

/**
 * Sample to MTOM with JAX-RPC
 */
Table 2–12 Files Used in MTOMSecurity Example

File    Description

build.xml
    Ant build file that contains targets for building and running the example.
configWss.py
    WLST script that configures a Web service security configuration. This file is copied without change from WL_HOME\samples\server\examples\src\examples\webservices\wss1.1
MtomClient.java
    Standalone client application that invokes the MTOM Web service. This file uses the JAX-RPC Stubs generated by clientgen, based on the WSDL of the Web service.
SecurityMtomService.java
    JWS file that implements the MTOM Web service. The JWS file uses the @Policy annotation to specify the WS-Policy files that are associated with the Web service.
clientkeyStore.jks
    Client-side key store, used to create a client-side BinarySecurityToken credential provider. This file is copied without change from WL_HOME\samples\server\examples\src\examples\webservices\wss1.1\certs
serverkeyStore.jks
    Server-side key store, used to create a server-side BinarySecurityToken credential provider. This file is copied without change from WL_HOME\samples\server\examples\src\examples\webservices\wss1.1\certs
testServerCertTempCert.der
    Server-side certificate, used to create a client-side BinarySecurityToken credential provider. This file is copied without change from WL_HOME\samples\server\examples\src\examples\webservices\wss1.1\certs
/** @author Copyright © 1996, 2008, Oracle and/or its affiliates. All rights reserved. */
@WebService
@Binding(Binding.Type.SOAP12)
// enable WSS + MTOM for this web service by adding the following canned policy files
@Policies({
    @Policy(uri = "policy:Mtom.xml"),
    @Policy(uri = "policy:Wssp1.2-2007-SignBody.xml"),
    @Policy(uri = "policy:Wssp1.2-2007-EncryptBody.xml"),
    @Policy(uri = "policy:Wssp1.2-Wss1.1-EncryptedKey.xml")
})
public class SecurityMtomService {
    public SecurityMtomService() { }

    /** Input is sent as XOPed binary octet stream
     *  @param bytes input bytes
     *  @return A simple String */
    @WebMethod
    public String echoBinaryAsString(byte[] bytes) {
        return new String(bytes);
    }

    /** Output is sent as XOPed binary octet stream
     *  @param s a simple String
     *  @return byte[] */
    @WebMethod
    public byte[] echoStringAsBinary(String s) {
        return s.getBytes();
    }

    /** input byte[] is sent as XOPed binary octet stream
     *  @param array input byte[] array
     *  @return String[] */
    @WebMethod
    public String[] echoBinaryArrayAsStringArray(byte[] array) {
        String[] strings = new String[1];
        strings[0] = new String(array);
        return strings;
    }
}
You can specify the @Policy annotation at both the class- and method-level. In this example, the annotation is used at the class-level to specify the predefined WS-Policy files, which means all public operations of the Web service are associated with the specified WS-Policy files.
You use the @Policies annotation to group together multiple @Policy annotations. You can specify this annotation at both the class- and method-level. In this example, the annotation is used at the class-level to group the four @Policy annotations that specify the predefined WS-Policy files:
■ The predefined WS-Policy file Mtom.xml enables MTOM encoding.
■ As described in Section 2.16.2, Protection Assertion Policies, the Wssp1.2-2007-SignBody.xml policy file specifies that the body and WebLogic system headers of both the request and response SOAP messages be digitally signed.
■ The Wssp1.2-2007-EncryptBody.xml policy file specifies that the body of both the request and response SOAP messages be encrypted.
■ The Wssp1.2-Wss1.1-EncryptedKey.xml symmetric binding policy uses the WS-Security 1.1 Encrypted Key feature. The client application invoking the Web service must use the encrypted key to encrypt and sign, and the server must send Signature Confirmation.
2.22.3 MtomClient.java